Deadlock in Linux kernel - CVE-2026-45895
Published: May 28, 2026
Vulnerability identifier: #VU132597
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45895
CWE-ID: CWE-833
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a livelock condition in quotactl_block() when waiting for a frozen filesystem to thaw. A local user can repeatedly toggle quota operations during filesystem freeze activity to cause a denial of service.
The issue is reliably triggered on non-preemptible kernels when the freezer and quota operations run on the same CPU.
How to mitigate CVE-2026-45895
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12
- https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82
- https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf
- https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d
- https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39